Silver bullet thinking won’t keep data safe – The case of Capital One
How to avoid the mistake made in causing Capital One’s data breach and how one solution isn’t enough in a solid data security strategy.
Unless you’re living off the grid (wherein you likely wouldn’t read this), you know there’s been yet another high-profile data breach, this time involving Capital One customers in the United States and Canada. Though we’re still piecing together the alleged hacker’s motives for leaking a massive amount of personal and sensitive data, some coverage of this incident focuses on one thing – Capital One turned to Amazon Web Services (AWS) to store data, believing this would keep their data safe.
It’s easy to say in a post-breach world that this thinking was flawed, but here’s the thing – this thinking is pervasive across enterprises worldwide and always has been. A few years ago, enterprises flocked to the next-generation firewall (NGFW) as the one, true solution that would solve their security woes. And while NGFWs play a critical piece in successful data protection strategies, they are just that – one piece. Now, many look to the cloud for the same reason. What these enterprises fail to consider is that one solution – a ‘silver bullet,’ as they say – will never be enough to keep their data safe. There are two key reasons behind this:
1.) Keeping Data Safe Means Putting Data FIRST – From Capital One to Marriott, it appears much of the conversation around data breaches focuses on access. Who had access? Did someone compromise their credentials? What solution was in place to limit or restrict access? And look – access controls are important, they are one piece of an effective data security strategy. It is critical to ensure there are solutions in place that look at the complete life cycle of the data, including what data is sensitive, who has access, where the data is shared (on premises, in the cloud, etc.), if there are copies of this data and where they reside, and what protections are already in place. This is especially important for personal or sensitive data. Once an organization has a handle on this, additional protections can be put in place to ensure the most sensitive or personal data remains secured.
2.) Data Security Requires a Multi-Solution Strategy – I’ve said it before and I’ll say it again: enterprises must abandon the idea that one solution will solve all of their security challenges. A truly effective security strategy requires multiple solutions that work together to protect the most sensitive data at every step, from creation through archiving. This might include Data Loss Prevention (DLP) solutions, Cloud Access Security Brokers (CASBs), encryption, NGFWs, and more.
I’d love to be able to say that the Capital One breach will be a watershed moment that causes enterprises worldwide to reconsider their data security strategies, implementing an end-to-end approach that secures sensitive data throughout its lifecycle, but that probably isn’t true. What I can say is that this should be a reminder for enterprises that implementing a ‘silver bullet’ solution when it comes to security will never be a successful strategy.
If your enterprise wants to take a fresh look at its data security strategy but doesn’t know where to start, contact us.